ABA Recommends Dedicated PC for Online Banking

January 22nd, 2010

Earlier this month the American Bankers Association (ABA) issued practical, simple advice that could dramatically improve everyone’s online banking security. And, I predict, it won’t make any difference, because people are unlikely to follow it.

What the Google/China Hack Means to You

January 17th, 2010

Friends and listeners of the Fresh Ubuntu Podcast will know that I frequently raise concerns about Google and the information it acquires about all of us. My concerns normally run along the lines of “just imagine what Google can do with all of that information.” However, I’ve never brought up what could be an even bigger concern: “What if someone else were to get hold of all of that information?”

Twitter Bans Common Passwords

January 12th, 2010

Twitter recently published a list of 369 banned passwords that it will no longer accept on Twitter accounts. Whether or not you use Twitter, it is worth a minute or two to skim this list and check whether you are using one of these passwords, or something similar, on any system, since doing so could lead to an account compromise.

Book Review: I’m on Facebook – Now What???

December 25th, 2009

I just read I’m on Facebook–Now What???: How to Get Personal, Business, and Professional Value from Facebook. While the majority of this 100-page book was review for me, I would recommend it to anyone who is brand new to Facebook or to social networking in general.

Microsoft: “Please Upgrade from Internet Explorer 6.”

December 21st, 2009

While Internet Explorer 6 on Windows XP will be supported until July 2010, the writing on the wall is fairly clear, and Microsoft is encouraging users to upgrade to IE 7 or IE 8. We, for our part, have been recommending alternative browsers for years.

Software Review: Thunderbird 3

December 15th, 2009

After a long period of apparent stagnation, Mozilla Messaging, a wholly owned subsidiary of the Mozilla Foundation, has released the long-awaited Thunderbird 3, its free, open-source email client. Thunderbird has been my favorite email client for several years now: it does everything that Outlook Express or Windows Mail does (as far as I am concerned), has a better security track record, runs faster, and works on Windows, Mac OS X, and Linux.

Google Public DNS

December 4th, 2009

Yesterday, Google announced its latest service: Google Public DNS. This service appears to be similar to the also-free OpenDNS.

What is the Purpose of Information Security? 60 Minutes Knows

November 11th, 2009

I do not watch television, but a friend of mine pointed me to this week’s episode of CBS’ news documentary program 60 Minutes. It is a very good, low-tech illustration of the security threats that information security professionals are battling. This is the kind of thing we are trying to prevent when we throw around terms like “malware,” “firewalls,” “intrusion prevention,” “audits,” and “security policy.”

While the show focuses on threats to the federal government and utilities, exactly the same threats and methods of attack face every small business network on the Internet as well.

Small Businesses Continue to Lose Big

November 10th, 2009

According to the Internet Crime Complaint Center, fraud involving the online banking credentials of small businesses continues to increase. In this November 3 article, they write:

“…the attack vector is a “spear phishing” e-mail which contains either an infected file or a link to an infectious Web site. The… recipient is … a person … who can initiate funds transfers on behalf of the business… Once the user opens the attachment, or navigates to the Web site, malware is installed on the user’s computer…, which harvests the user’s corporate online banking credentials. Shortly thereafter, the subject either creates another user account from the stolen credentials or directly initiates a funds transfer masquerading as a legitimate user.”

More than ever, anyone doing any sort of online banking needs to be very certain of the security of their computer, their network, and the server on the other end of the transaction. Sadly, my personal experience has shown that most people banking online don’t know the first thing about online security, or are concerned for the wrong reasons.

My recommendation is that if you must do online banking, have a computer dedicated to this task. (I usually lose people around here, but bear with me.) The problem is that some of today’s malware is so insidious that it can remain undetected for long periods of time. One solution is to take an old computer, put a lightweight Linux distribution on it, and use Firefox or another alternative web browser instead of Internet Explorer on Windows. Readers of my personal blog may think that I am sliding toward a rant, but my recommendation is purely pragmatic. Linux and alternative browsers present a much smaller attack surface, and, without getting into a religious Windows vs. open source debate, they are as a result more secure.

Think carefully the next time you log on to your bank or credit union account online and ask yourself, “If a hacker got access to this account and drained all of the available funds, what would I do?” Is recycling an old computer and installing some free software worth the additional protection it would afford? My answer is “absolutely.”

Bank Sued for Losses Due to Alleged Weak Security

September 29th, 2009

In a previous post, I wrote about how small businesses are being scammed by European cyber-hackers. In a related story, Computerworld reports that Patco Construction Co. of Portland, ME is suing Ocean Bank of Delaware because the company lost hundreds of thousands of dollars due to allegedly weak security in Ocean’s online banking system.

The main alleged weakness is Ocean Bank’s lack of two-factor authentication. I am not sure that this places all of the blame in Ocean’s hands, and I think that Patco should be at least partially responsible for its losses if it is found that its own systems were compromised. Even so, a victory by the plaintiff in this case could set an interesting precedent for financial institutions that have not implemented strong authentication mechanisms in their online services. Banks and credit unions – take note! A victory by the defendant, however, will likely send a very different signal, more along the lines of “If you bank online, you take your chances.” Small businesses and individuals – take note!

This week’s Data Security Podcast also has an excellent interview with the attorney who filed the suit on behalf of Patco.